ScreenShot
| Created | 2024.02.04 17:12 | Machine | s1_win7_x6403 |
| Filename | probeDLLnocry-crypted.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 48 detected (Stealerium, malicious, high confidence, score, Trojanpws, AdwareDealPly, Fugrafa, unsafe, Midie, Vmxd, Attribute, HighConfidence, a variant of Generik, EPPXSCD, Artemis, PWSX, TrojanPSW, Generic@AI, RDML, GPCktXWxgrmobBBALH4oqQ, Nekark, xrzwi, Inject5, Detected, ai score=84, Sabsik, Casdet, Injection, ZelphiF, rVW@aqrh@Wo, BScope, Chgt, R014H09B224, Gencirc, PossibleThreat, confidence) | ||
| md5 | 353a3b4d65ce9168817e09d5090b2afa | ||
| sha256 | db6db1a60def0b16630069bcb9d354a963a6758966dd08dd54c07b8509ddd5d1 | ||
| ssdeep | 49152:iu5voq9yqVHncEylouiXCvkHDHxj9fc7wwIxHuAkXX9dSq:iu5vPVHnfyNiXCvKDHxj90VVXX9dL | ||
| imphash | bfe5cf47adea756d5b144adf6d3b3603 | ||
| impfuzzy | 96:F6XnJ4KQNbJj9NTX1lNnjyXpNiLfHaDZC:w3eb9TFDe5NY/aDZC | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects the presence of Wine emulator |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (29cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_DynDns | Communications DynDns network | memory |
| notice | network_smtp_raw | Communications smtp | memory |
| notice | Network_SSL | Communications over SSL | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x5f5320 GetACP
0x5f5324 CloseHandle
0x5f5328 LocalFree
0x5f532c SizeofResource
0x5f5330 ReadProcessMemory
0x5f5334 TerminateThread
0x5f5338 QueryPerformanceFrequency
0x5f533c IsDebuggerPresent
0x5f5340 VirtualFree
0x5f5344 SetThreadContext
0x5f5348 GetThreadContext
0x5f534c GetFullPathNameW
0x5f5350 GetProcessHeap
0x5f5354 ExitProcess
0x5f5358 HeapAlloc
0x5f535c GetCPInfoExW
0x5f5360 WriteProcessMemory
0x5f5364 RtlUnwind
0x5f5368 GetCPInfo
0x5f536c EnumSystemLocalesW
0x5f5370 GetStdHandle
0x5f5374 GetTimeZoneInformation
0x5f5378 GetModuleHandleW
0x5f537c FreeLibrary
0x5f5380 TryEnterCriticalSection
0x5f5384 HeapDestroy
0x5f5388 ReadFile
0x5f538c CreateProcessW
0x5f5390 GetLastError
0x5f5394 GetModuleFileNameW
0x5f5398 SetLastError
0x5f539c FindResourceW
0x5f53a0 CreateThread
0x5f53a4 CompareStringW
0x5f53a8 LoadLibraryA
0x5f53ac ResetEvent
0x5f53b0 FreeResource
0x5f53b4 GetVersion
0x5f53b8 RaiseException
0x5f53bc FormatMessageW
0x5f53c0 SwitchToThread
0x5f53c4 GetExitCodeThread
0x5f53c8 GetCurrentThread
0x5f53cc LoadLibraryExW
0x5f53d0 LockResource
0x5f53d4 GetCurrentThreadId
0x5f53d8 UnhandledExceptionFilter
0x5f53dc VirtualQuery
0x5f53e0 VirtualQueryEx
0x5f53e4 Sleep
0x5f53e8 EnterCriticalSection
0x5f53ec SetFilePointer
0x5f53f0 ReleaseMutex
0x5f53f4 LoadResource
0x5f53f8 SuspendThread
0x5f53fc GetTickCount
0x5f5400 GetFileSize
0x5f5404 GetStartupInfoW
0x5f5408 GetFileAttributesW
0x5f540c InitializeCriticalSection
0x5f5410 GetThreadPriority
0x5f5414 GetCurrentProcess
0x5f5418 SetThreadPriority
0x5f541c VirtualAlloc
0x5f5420 GetCommandLineW
0x5f5424 GetSystemInfo
0x5f5428 GetTempPathW
0x5f542c LeaveCriticalSection
0x5f5430 GetProcAddress
0x5f5434 ResumeThread
0x5f5438 VirtualAllocEx
0x5f543c GetVersionExW
0x5f5440 VerifyVersionInfoW
0x5f5444 HeapCreate
0x5f5448 LCMapStringW
0x5f544c VerSetConditionMask
0x5f5450 GetDiskFreeSpaceW
0x5f5454 FindFirstFileW
0x5f5458 GetUserDefaultUILanguage
0x5f545c lstrlenW
0x5f5460 SetEndOfFile
0x5f5464 QueryPerformanceCounter
0x5f5468 HeapFree
0x5f546c WideCharToMultiByte
0x5f5470 FindClose
0x5f5474 MultiByteToWideChar
0x5f5478 CreateMutexA
0x5f547c LoadLibraryW
0x5f5480 SetEvent
0x5f5484 CreateFileW
0x5f5488 GetLocaleInfoW
0x5f548c GetLocalTime
0x5f5490 GetEnvironmentVariableW
0x5f5494 WaitForSingleObject
0x5f5498 WriteFile
0x5f549c ExitThread
0x5f54a0 DeleteCriticalSection
0x5f54a4 TlsGetValue
0x5f54a8 GetDateFormatW
0x5f54ac SetErrorMode
0x5f54b0 GetComputerNameW
0x5f54b4 IsValidLocale
0x5f54b8 TlsSetValue
0x5f54bc GetSystemDefaultUILanguage
0x5f54c0 EnumCalendarInfoW
0x5f54c4 LocalAlloc
0x5f54c8 CreateEventW
0x5f54cc SetThreadLocale
0x5f54d0 GetThreadLocale
ole32.dll
0x5f54d8 CoInitializeEx
0x5f54dc CoInitialize
0x5f54e0 CoCreateInstance
0x5f54e4 CoUninitialize
user32.dll
0x5f54ec CharUpperBuffW
0x5f54f0 CharNextW
0x5f54f4 MsgWaitForMultipleObjects
0x5f54f8 CharLowerBuffW
0x5f54fc LoadStringW
0x5f5500 CharUpperW
0x5f5504 PeekMessageW
0x5f5508 GetSystemMetrics
0x5f550c MessageBoxW
oleaut32.dll
0x5f5514 SafeArrayPutElement
0x5f5518 SetErrorInfo
0x5f551c GetErrorInfo
0x5f5520 VariantInit
0x5f5524 VariantClear
0x5f5528 SysFreeString
0x5f552c SafeArrayAccessData
0x5f5530 SysReAllocStringLen
0x5f5534 SafeArrayCreate
0x5f5538 CreateErrorInfo
0x5f553c SafeArrayGetElement
0x5f5540 SysAllocStringLen
0x5f5544 SafeArrayUnaccessData
0x5f5548 SafeArrayPtrOfIndex
0x5f554c VariantCopy
0x5f5550 SafeArrayGetUBound
0x5f5554 SafeArrayGetLBound
0x5f5558 VariantChangeType
msvcrt.dll
0x5f5560 isupper
0x5f5564 isalpha
0x5f5568 isalnum
0x5f556c toupper
0x5f5570 memchr
0x5f5574 memcmp
0x5f5578 memcpy
0x5f557c memset
0x5f5580 isprint
0x5f5584 isspace
0x5f5588 iscntrl
0x5f558c isxdigit
0x5f5590 ispunct
0x5f5594 isgraph
0x5f5598 islower
0x5f559c tolower
advapi32.dll
0x5f55a4 RegQueryValueExW
0x5f55a8 RegCloseKey
0x5f55ac RegOpenKeyExW
EAT(Export Address Table) Library
0x411560 __dbk_fcall_wrapper
0x5f1648 dbkFCallWrapperAddr
kernel32.dll
0x5f5320 GetACP
0x5f5324 CloseHandle
0x5f5328 LocalFree
0x5f532c SizeofResource
0x5f5330 ReadProcessMemory
0x5f5334 TerminateThread
0x5f5338 QueryPerformanceFrequency
0x5f533c IsDebuggerPresent
0x5f5340 VirtualFree
0x5f5344 SetThreadContext
0x5f5348 GetThreadContext
0x5f534c GetFullPathNameW
0x5f5350 GetProcessHeap
0x5f5354 ExitProcess
0x5f5358 HeapAlloc
0x5f535c GetCPInfoExW
0x5f5360 WriteProcessMemory
0x5f5364 RtlUnwind
0x5f5368 GetCPInfo
0x5f536c EnumSystemLocalesW
0x5f5370 GetStdHandle
0x5f5374 GetTimeZoneInformation
0x5f5378 GetModuleHandleW
0x5f537c FreeLibrary
0x5f5380 TryEnterCriticalSection
0x5f5384 HeapDestroy
0x5f5388 ReadFile
0x5f538c CreateProcessW
0x5f5390 GetLastError
0x5f5394 GetModuleFileNameW
0x5f5398 SetLastError
0x5f539c FindResourceW
0x5f53a0 CreateThread
0x5f53a4 CompareStringW
0x5f53a8 LoadLibraryA
0x5f53ac ResetEvent
0x5f53b0 FreeResource
0x5f53b4 GetVersion
0x5f53b8 RaiseException
0x5f53bc FormatMessageW
0x5f53c0 SwitchToThread
0x5f53c4 GetExitCodeThread
0x5f53c8 GetCurrentThread
0x5f53cc LoadLibraryExW
0x5f53d0 LockResource
0x5f53d4 GetCurrentThreadId
0x5f53d8 UnhandledExceptionFilter
0x5f53dc VirtualQuery
0x5f53e0 VirtualQueryEx
0x5f53e4 Sleep
0x5f53e8 EnterCriticalSection
0x5f53ec SetFilePointer
0x5f53f0 ReleaseMutex
0x5f53f4 LoadResource
0x5f53f8 SuspendThread
0x5f53fc GetTickCount
0x5f5400 GetFileSize
0x5f5404 GetStartupInfoW
0x5f5408 GetFileAttributesW
0x5f540c InitializeCriticalSection
0x5f5410 GetThreadPriority
0x5f5414 GetCurrentProcess
0x5f5418 SetThreadPriority
0x5f541c VirtualAlloc
0x5f5420 GetCommandLineW
0x5f5424 GetSystemInfo
0x5f5428 GetTempPathW
0x5f542c LeaveCriticalSection
0x5f5430 GetProcAddress
0x5f5434 ResumeThread
0x5f5438 VirtualAllocEx
0x5f543c GetVersionExW
0x5f5440 VerifyVersionInfoW
0x5f5444 HeapCreate
0x5f5448 LCMapStringW
0x5f544c VerSetConditionMask
0x5f5450 GetDiskFreeSpaceW
0x5f5454 FindFirstFileW
0x5f5458 GetUserDefaultUILanguage
0x5f545c lstrlenW
0x5f5460 SetEndOfFile
0x5f5464 QueryPerformanceCounter
0x5f5468 HeapFree
0x5f546c WideCharToMultiByte
0x5f5470 FindClose
0x5f5474 MultiByteToWideChar
0x5f5478 CreateMutexA
0x5f547c LoadLibraryW
0x5f5480 SetEvent
0x5f5484 CreateFileW
0x5f5488 GetLocaleInfoW
0x5f548c GetLocalTime
0x5f5490 GetEnvironmentVariableW
0x5f5494 WaitForSingleObject
0x5f5498 WriteFile
0x5f549c ExitThread
0x5f54a0 DeleteCriticalSection
0x5f54a4 TlsGetValue
0x5f54a8 GetDateFormatW
0x5f54ac SetErrorMode
0x5f54b0 GetComputerNameW
0x5f54b4 IsValidLocale
0x5f54b8 TlsSetValue
0x5f54bc GetSystemDefaultUILanguage
0x5f54c0 EnumCalendarInfoW
0x5f54c4 LocalAlloc
0x5f54c8 CreateEventW
0x5f54cc SetThreadLocale
0x5f54d0 GetThreadLocale
ole32.dll
0x5f54d8 CoInitializeEx
0x5f54dc CoInitialize
0x5f54e0 CoCreateInstance
0x5f54e4 CoUninitialize
user32.dll
0x5f54ec CharUpperBuffW
0x5f54f0 CharNextW
0x5f54f4 MsgWaitForMultipleObjects
0x5f54f8 CharLowerBuffW
0x5f54fc LoadStringW
0x5f5500 CharUpperW
0x5f5504 PeekMessageW
0x5f5508 GetSystemMetrics
0x5f550c MessageBoxW
oleaut32.dll
0x5f5514 SafeArrayPutElement
0x5f5518 SetErrorInfo
0x5f551c GetErrorInfo
0x5f5520 VariantInit
0x5f5524 VariantClear
0x5f5528 SysFreeString
0x5f552c SafeArrayAccessData
0x5f5530 SysReAllocStringLen
0x5f5534 SafeArrayCreate
0x5f5538 CreateErrorInfo
0x5f553c SafeArrayGetElement
0x5f5540 SysAllocStringLen
0x5f5544 SafeArrayUnaccessData
0x5f5548 SafeArrayPtrOfIndex
0x5f554c VariantCopy
0x5f5550 SafeArrayGetUBound
0x5f5554 SafeArrayGetLBound
0x5f5558 VariantChangeType
msvcrt.dll
0x5f5560 isupper
0x5f5564 isalpha
0x5f5568 isalnum
0x5f556c toupper
0x5f5570 memchr
0x5f5574 memcmp
0x5f5578 memcpy
0x5f557c memset
0x5f5580 isprint
0x5f5584 isspace
0x5f5588 iscntrl
0x5f558c isxdigit
0x5f5590 ispunct
0x5f5594 isgraph
0x5f5598 islower
0x5f559c tolower
advapi32.dll
0x5f55a4 RegQueryValueExW
0x5f55a8 RegCloseKey
0x5f55ac RegOpenKeyExW
EAT(Export Address Table) Library
0x411560 __dbk_fcall_wrapper
0x5f1648 dbkFCallWrapperAddr